Baltimore (MD) – A team from an independent security consulting firm claims that Google's Android platform, which is installed on T-Mobile's G1 smartphone, suffers from a serious buffer overflow bug that lets attackers lure users to websites hosting malware and remotely execute malicious code. The vulnerability is serious enough to give the attacker access to the G1 handset with the same rights as its owner. Google is aware of the security problem and apparently is trying to keep information about the vulnerability secret until a patch is deployed.
Independent Security Evaluators (ISE), led by Charlie Miller, who discovered several security flaws in OS X and the iPhone, said that the flaw lies in outdated code in one of the 80+ open-source packages that make up Android. ISE researchers indirectly blamed Google for failing to use a more recent version of the package, a measure that would have fixed the known vulnerability. "Google used an older, still vulnerable version," an ISE alert says. Miller and his ISE team already have working code that demonstrates the exploit and promise to release it once Android is patched.
Interestingly, Google made a similar mistake when it built Chrome with an older version of WebKit, unnecessarily exposing users to so-called carpet bomb attacks that work in older versions of WebKit, but not in the more recent software.
Miller said that Google asked him to withhold findings from the public until Google released a patch. The move somewhat backfired as Miller was not comfortable with this idea and published his findings. However, he decided not to reveal important details about the flaw in order to avoid an immediate public exploit.
"People should know that there's a problem with the G1 before they buy it," Miller told Computerworld. "I don't want to help the bad guys either, but people should have all the information before they make a decision to buy the phone, I think I'm totally in the right here."